Intrusion Isolation Strategy

Columns of the original table (each row appears below as one block):
Scenario | Device Category | Isolation Strategy | Rationale, Scope, and Justification | Isolate Entire Network | Rationale for Network Isolation Choice
Scenario: Single Device with Malware
Device Category: Managed PC
Isolation Strategy
  • Isolate device from network via endpoint management (e.g., EDR), restricting both ingress and egress.
  • Disable network interfaces remotely.
  • Quarantine device in a VLAN with no external access.
  • Maintain log access for investigation.
Rationale, Scope, and Justification

Rationale: A single managed PC with malware poses a localized threat that could spread laterally or exfiltrate data. EDR tools enable precise isolation, restricting both ingress (threat actor control) and egress (data exfiltration). Disabling network interfaces and using a quarantine VLAN ensure no communication occurs, while logs support forensics.

Scope: Isolation is limited to the infected device, with no broader network impact needed.

Justification: This targeted approach is proportionate, minimizing disruption while addressing both exfiltration and threat actor access. Network-wide measures are overkill for a single device.

Isolate Entire Network: No

Rationale for Network Isolation Choice

Rationale: Device isolation via EDR and VLAN restricts both ingress (preventing threat actor C2 access) and egress (preventing data exfiltration). The threat is localized, with no evidence of network-wide compromise.

Scope: No network-wide rule is applied; isolation is device-specific.

Justification: Device-level isolation sufficiently mitigates both risks, making network-wide ingress/egress restrictions unnecessary and disruptive.

Scenario: Single Device with Malware
Device Category: Unmanaged PC
Isolation Strategy
  • Block device at network level (e.g., MAC address filtering), restricting both ingress and egress.
  • Quarantine device in a restricted VLAN with no external access.
  • Notify user to disconnect device from network.
  • Restrict internet access for device IP/MAC.
Rationale, Scope, and Justification

Rationale: Unmanaged PCs lack centralized control, requiring network-level isolation. MAC/IP filtering restricts both ingress (threat actor control) and egress (data exfiltration). A restricted VLAN ensures isolation, and user notification encourages physical disconnection.

Scope: Isolation targets the single unmanaged device, with no organization-wide measures needed.

Justification: This strategy contains the threat without broad network changes, proportionate to a single-device issue.

Isolate Entire Network: No

Rationale for Network Isolation Choice

Rationale: Network-level blocking and VLAN quarantine restrict both ingress (C2 access) and egress (exfiltration) for the affected PC. The threat is confined to one device, with no network-wide impact.

Scope: No network-wide rule is applied; isolation is device-specific.

Justification: Device-level measures adequately address both risks, avoiding unnecessary network-wide restrictions.

Scenario: Multiple Devices with Malware
Device Category: Managed PC
Isolation Strategy
  • Isolate all affected devices via EDR, restricting both ingress and egress.
  • Place devices in a quarantine VLAN with no external access.
  • Segment network to limit lateral movement.
  • Scan all managed devices for similar indicators of compromise (IOCs).
Rationale, Scope, and Justification

Rationale: Multiple infected managed PCs suggest a coordinated attack or worm-like malware. EDR isolation restricts ingress (C2 access) and egress (exfiltration) for affected devices. A quarantine VLAN and network segmentation limit spread, and IOC scanning detects additional infections.

Scope: Isolation includes all infected devices and exposed segments, leaving unaffected segments operational.

Justification: This balanced approach targets affected devices and segments, avoiding disruption of unaffected systems while addressing widespread risks.

Isolate Entire Network: Deny Both Ingress and Egress from all PCs

Rationale for Network Isolation Choice

Rationale: Multiple infected PCs increase risks of data exfiltration (outbound to C2 servers) and threat actor control (inbound C2 communication). Device isolation covers known infections, but network-wide ingress/egress restrictions prevent undetected PCs from communicating externally.

Scope: The rule applies to all PCs (managed and unmanaged), enforced via firewall or router policies.

Justification: The broad scope is justified by the potential for undetected infections, balancing both risks without fully isolating the network.

Scenario: Multiple Devices with Malware
Device Category: Unmanaged PC
Isolation Strategy
  • Block all affected devices by MAC/IP at network level, restricting both ingress and egress.
  • Place devices in a restricted VLAN with no external access.
  • Broadcast user notifications to disconnect devices.
  • Implement temporary network-wide ingress/egress filtering to block malicious traffic.
Rationale, Scope, and Justification

Rationale: Multiple unmanaged PCs with malware indicate a significant threat. MAC/IP blocking restricts ingress (C2 access) and egress (exfiltration). A restricted VLAN isolates devices, and network-wide filtering prevents external communication. User notifications encourage disconnection.

Scope: Isolation targets affected unmanaged devices, with temporary network-wide filtering.

Justification: This proportionate strategy focuses on affected devices while adding network-wide filtering to mitigate risks without full internet shutdown.

Isolate Entire Network: Deny Both Ingress and Egress from all PCs

Rationale for Network Isolation Choice

Rationale: Malware on multiple unmanaged PCs risks both exfiltration (outbound data) and threat actor control (inbound C2). Device blocking covers known infections, but network-wide ingress/egress restrictions ensure undetected devices are contained.

Scope: The rule applies to all PCs (managed and unmanaged), enforced via firewall or router policies.

Justification: The broad scope is appropriate for a spreading threat, addressing both risks while preserving some functionality.

Scenario: Firewall Compromised
Device Category: Network Device
Isolation Strategy
  • Disable external interfaces of the compromised firewall, restricting both ingress and egress.
  • Route traffic through a backup firewall or temporary ruleset.
  • Isolate firewall management interface in a restricted VLAN.
  • Conduct forensic analysis offline.
Rationale, Scope, and Justification

Rationale: A compromised firewall threatens the entire network. Disabling external interfaces restricts ingress (threat actor control) and egress (potential exfiltration). A backup firewall maintains connectivity, and isolating the management interface prevents tampering.

Scope: Isolation targets the compromised firewall, with temporary traffic rerouting.

Justification: This proportionate approach isolates the critical device while maintaining functionality via backups, avoiding complete shutdown.

Isolate Entire Network: Deny Both Ingress and Egress from the entire network

Rationale for Network Isolation Choice

Rationale: A compromised firewall risks external threat actor control (ingress for manipulation) and potential exfiltration if misconfigured (egress). Network-wide ingress/egress restrictions ensure safety during rerouting to a backup firewall.

Scope: The rule applies to the entire network, enforced via the backup firewall or temporary ruleset.

Justification: The network-wide scope addresses both risks, aligning with the firewall’s critical role, while backups prevent total disruption.

Scenario: VPN User Identity Compromised
Device Category: Managed PC
Isolation Strategy
  • Revoke compromised user’s VPN credentials.
  • Force re-authentication for all VPN sessions.
  • Monitor logs for suspicious activity from the user’s device.
  • Isolate device via EDR, restricting both ingress and egress, if further compromise is detected.
Rationale, Scope, and Justification

Rationale: A compromised VPN user identity risks unauthorized access. Revoking credentials and forcing re-authentication prevent misuse. Monitoring logs detects threats, and device isolation (restricting ingress and egress) is a fallback for further compromise.

Scope: Isolation targets the user’s credentials and device, with minimal impact on others.

Justification: This strategy addresses the specific threat without disrupting the entire VPN or network, which would be excessive.

Isolate Entire Network: No

Rationale for Network Isolation Choice

Rationale: Revoking credentials prevents threat actor access, and device isolation (if needed) restricts both ingress (C2 access) and egress (exfiltration). The threat is limited to one user, with no network-wide impact.

Scope: No network-wide rule is applied; isolation is credential- and device-specific.

Justification: Credential revocation and targeted isolation suffice, avoiding disruptive network-wide restrictions.

Scenario: VPN User Identity Compromised
Device Category: Unmanaged PC
Isolation Strategy
  • Revoke compromised user’s VPN credentials.
  • Block device IP/MAC from VPN access, restricting both ingress and egress.
  • Force re-authentication for all VPN sessions.
  • Notify user to secure their device.
Rationale, Scope, and Justification

Rationale: Unmanaged PCs require network-level blocking (IP/MAC) to restrict ingress (threat actor access) and egress (exfiltration). Revoking credentials and forcing re-authentication prevent further access. User notification encourages cleanup.

Scope: Isolation focuses on the user’s credentials and device, with no broad VPN disruption.

Justification: This proportionate approach targets the specific threat without affecting other VPN users.

Isolate Entire Network: No

Rationale for Network Isolation Choice

Rationale: Credential revocation and device blocking (restricting ingress and egress) prevent both threat actor access and exfiltration. The compromise is localized to one user’s device.

Scope: No network-wide rule is applied; isolation is credential- and device-specific.

Justification: Targeted measures are sufficient, avoiding unnecessary network-wide restrictions.

Scenario: VPN User Identity Compromised
Device Category: Network Device
Isolation Strategy
  • Revoke compromised user’s VPN credentials.
  • Isolate VPN server management interface, restricting both ingress and egress.
  • Force re-authentication for all VPN sessions.
  • Audit VPN server logs for unauthorized changes.
Rationale, Scope, and Justification

Rationale: A compromised VPN user identity risks server access. Revoking credentials and forcing re-authentication limit damage. Isolating the management interface (restricting ingress and egress) prevents tampering, and log audits detect compromise.

Scope: Isolation targets the user’s credentials and VPN server management, with minimal user impact.

Justification: This balanced strategy addresses the threat without shutting down the VPN service.

Isolate Entire Network: No

Rationale for Network Isolation Choice

Rationale: Credential revocation and server management isolation (restricting ingress and egress) prevent both threat actor control and potential exfiltration via the server. The threat is confined to one user’s access.

Scope: No network-wide rule is applied; isolation is credential- and server-specific.

Justification: Targeted measures suffice, avoiding disruptive network-wide restrictions.

Scenario: Domain User Compromised
Device Category: Managed PC
Isolation Strategy
  • Disable compromised user account.
  • Force password reset for the account.
  • Isolate user’s device via EDR, restricting both ingress and egress.
  • Monitor domain logs for suspicious activity.
Rationale, Scope, and Justification

Rationale: A compromised domain user account risks unauthorized access. Disabling the account and resetting the password prevent misuse. EDR isolation restricts ingress (threat actor control) and egress (exfiltration), and log monitoring detects related threats.

Scope: Isolation targets the user’s account and device, with no domain-wide impact.

Justification: This proportionate approach addresses the specific compromise without affecting other users.

Isolate Entire Network: No

Rationale for Network Isolation Choice

Rationale: Disabling the account and isolating the device (restricting ingress and egress) prevent both threat actor access and exfiltration. The threat is limited to one user’s account and device.

Scope: No network-wide rule is applied; isolation is account- and device-specific.

Justification: Targeted measures are sufficient, avoiding disruptive network-wide restrictions.

Scenario: Domain User Compromised
Device Category: Unmanaged PC
Isolation Strategy
  • Disable compromised user account.
  • Block device IP/MAC from network access, restricting both ingress and egress.
  • Force password reset for the account.
  • Notify user to secure their device.
Rationale, Scope, and Justification

Rationale: Unmanaged PCs require network-level blocking to restrict ingress (threat actor access) and egress (exfiltration). Disabling the account and resetting the password prevent domain access. User notification encourages cleanup.

Scope: Isolation focuses on the user’s account and device, with no broader impact.

Justification: This strategy targets the specific threat without disrupting domain operations.

Isolate Entire Network: No

Rationale for Network Isolation Choice

Rationale: Account disabling and device blocking (restricting ingress and egress) prevent both threat actor access and exfiltration. The compromise is localized to one user’s device.

Scope: No network-wide rule is applied; isolation is account- and device-specific.

Justification: Targeted measures are sufficient, avoiding unnecessary network-wide restrictions.

Scenario: Domain Administrator Compromised
Device Category: Managed PC
Isolation Strategy
  • Disable compromised admin account.
  • Isolate admin’s device via EDR, restricting both ingress and egress.
  • Force password resets for all admin accounts.
  • Implement emergency network segmentation.
Rationale, Scope, and Justification

Rationale: A compromised domain admin account threatens the entire domain. Disabling the account and isolating the device (restricting ingress and egress) prevent further damage. Resetting admin passwords mitigates credential reuse, and segmentation limits lateral movement.

Scope: Isolation includes the admin’s account, device, and network segments.

Justification: This approach is necessary due to the high risk, balancing security and continuity with segmentation.

Isolate Entire Network: Deny Both Ingress and Egress from all PCs

Rationale for Network Isolation Choice

Rationale: An admin account’s privileges risk massive exfiltration (outbound data) and threat actor control (inbound C2). Device isolation and segmentation help, but network-wide ingress/egress restrictions prevent any PC from being exploited.

Scope: The rule applies to all PCs (managed and unmanaged), enforced via firewall or router policies.

Justification: The broad scope is justified by the admin’s access, addressing both risks while preserving some functionality.

Scenario: Domain Administrator Compromised
Device Category: Unmanaged PC
Isolation Strategy
  • Disable compromised admin account.
  • Block device IP/MAC from network access, restricting both ingress and egress.
  • Force password resets for all admin accounts.
  • Implement emergency network segmentation.
Rationale, Scope, and Justification

Rationale: Unmanaged devices require network-level blocking to restrict ingress (threat actor access) and egress (exfiltration). The high risk of admin compromise necessitates segmentation and password resets.

Scope: Isolation targets the admin’s account, device, and network segments.

Justification: This proportionate strategy addresses the severe threat while maintaining some functionality.

Isolate Entire Network: Deny Both Ingress and Egress from all PCs

Rationale for Network Isolation Choice

Rationale: The admin account on an unmanaged PC risks exfiltration (outbound) and threat actor control (inbound). Device blocking and segmentation are insufficient alone; network-wide ingress/egress restrictions ensure containment.

Scope: The rule applies to all PCs (managed and unmanaged), enforced via firewall or router policies.

Justification: The broad scope is appropriate given the admin’s access, addressing both risks without full isolation.

Scenario: Domain Controller Compromised
Device Category: Managed PC
Isolation Strategy
  • Isolate domain controller from network, restricting both ingress and egress.
  • Disable all non-essential domain accounts.
  • Implement full network segmentation.
  • Promote backup domain controller (if available).
Rationale, Scope, and Justification

Rationale: A compromised domain controller is catastrophic, controlling authentication and policies. Isolating it (restricting ingress and egress) prevents damage, disabling accounts limits access, and segmentation contains the threat. A backup controller restores functionality.

Scope: Isolation affects the domain controller, accounts, and network segments.

Justification: This aggressive approach is justified by the controller’s role, avoiding complete shutdown with a backup.

Isolate Entire Network: Deny Both Ingress and Egress from the entire network

Rationale for Network Isolation Choice

Rationale: A compromised domain controller risks massive exfiltration (outbound data) and threat actor control (inbound C2/exploitation). Network-wide ingress/egress restrictions prevent both while allowing internal operations with a backup controller.

Scope: The rule applies to the entire network, enforced via firewall or router policies.

Justification: The network-wide scope is necessary due to the controller’s critical role, addressing both risks without total isolation.

Scenario: Domain Controller Compromised
Device Category: Unmanaged PC
Isolation Strategy
  • Isolate domain controller from network, restricting both ingress and egress.
  • Block all unmanaged devices from domain access, restricting both ingress and egress.
  • Implement full network segmentation.
  • Promote backup domain controller (if available).
Rationale, Scope, and Justification

Rationale: Unmanaged PCs are blocked (restricting ingress and egress) to prevent interaction with the compromised controller. The remaining steps mirror those for the managed PC case because the threat is domain-wide.

Scope: Isolation includes the domain controller, unmanaged devices, and network segments.

Justification: This strategy contains the severe threat while maintaining functionality via a backup controller.

Isolate Entire Network: Deny Both Ingress and Egress from the entire network

Rationale for Network Isolation Choice

Rationale: The compromised controller and unmanaged devices risk exfiltration (outbound) and threat actor control (inbound). Network-wide ingress/egress restrictions prevent both while preserving internal operations.

Scope: The rule applies to the entire network, enforced via firewall or router policies.

Justification: The network-wide scope is justified by the catastrophic risk, avoiding complete isolation with a backup controller.

Scenario: Domain Controller Compromised
Device Category: Network Device
Isolation Strategy
  • Isolate domain controller from network, restricting both ingress and egress.
  • Restrict network device authentication to local credentials.
  • Implement full network segmentation.
  • Monitor network device logs for suspicious activity.
Rationale, Scope, and Justification

Rationale: Network devices may use domain authentication, so switching them to local credentials prevents the compromised controller from being used against them. Segmentation and monitoring limit secondary threats, and isolating the controller (restricting ingress and egress) contains the primary threat.

Scope: Isolation includes the domain controller and network device authentication, with network-wide segmentation.

Justification: This proportionate approach addresses the critical threat while maintaining device functionality.

Isolate Entire Network: Deny Both Ingress and Egress from the entire network

Rationale for Network Isolation Choice

Rationale: A compromised domain controller risks exfiltration (outbound via devices) and threat actor control (inbound C2). Network-wide ingress/egress restrictions prevent both, ensuring safety with local credentials and segmentation.

Scope: The rule applies to the entire network, enforced via firewall or router policies.

Justification: The network-wide scope is necessary given the controller’s role, addressing both risks while preserving operations.

Scenario: Zero-Day Against Citrix/RDS/VMware View Logon Interface, No Patch
Device Category: Managed PC
Isolation Strategy
  • Isolate affected remote access server from the internet, restricting both ingress and egress.
  • Disable public-facing logon interface temporarily.
  • Monitor logs for exploit attempts.
  • Implement network segmentation to protect internal systems.
Rationale, Scope, and Justification

Rationale: A zero-day exploit with no patch poses a severe risk of unauthorized access to the remote access server. Isolating the server (restricting ingress and egress) prevents threat actor control and exfiltration. Disabling the logon interface stops exploitation, and segmentation protects internal systems.

Scope: Isolation targets the remote access server and affected network segments, with minimal impact on managed PCs not using the service.

Justification: This aggressive approach is necessary due to the unmitigated vulnerability, balancing security with limited disruption via segmentation.

Isolate Entire Network: Deny Both Ingress and Egress from the remote access server

Rationale for Network Isolation Choice

Rationale: The zero-day risks both threat actor access (inbound exploitation) and exfiltration (outbound data if access is gained). Denying ingress and egress from the server prevents both while allowing internal operations to continue via other systems.

Scope: The rule applies to the remote access server, enforced via firewall or router policies.

Justification: Targeting the server is proportionate, addressing both risks without disrupting unaffected systems.

Scenario: Zero-Day Against Citrix/RDS/VMware View Logon Interface, No Patch
Device Category: Unmanaged PC
Isolation Strategy
  • Isolate affected remote access server from the internet, restricting both ingress and egress.
  • Disable public-facing logon interface temporarily.
  • Notify users on unmanaged devices to avoid accessing the service.
  • Implement network segmentation to protect internal systems.
Rationale, Scope, and Justification

Rationale: Unmanaged PCs may attempt to access the vulnerable service, but the primary threat is at the server. Isolating the server (restricting ingress and egress) prevents exploitation, and disabling the logon interface stops attacks. User notifications reduce exposure, and segmentation protects internals.

Scope: Isolation targets the remote access server and network segments, with no direct impact on unmanaged PCs.

Justification: This strategy focuses on the vulnerable server, proportionate to the unmitigated zero-day threat.

Isolate Entire Network: Deny Both Ingress and Egress from the remote access server

Rationale for Network Isolation Choice

Rationale: The zero-day enables threat actor access (inbound) and potential exfiltration (outbound). Denying ingress and egress from the server blocks both risks, protecting unmanaged PC users indirectly.

Scope: The rule applies to the remote access server, enforced via firewall or router policies.

Justification: Server-specific restrictions are sufficient, avoiding broader disruption to unmanaged PCs.

Scenario: Zero-Day Against Citrix/RDS/VMware View Logon Interface, No Patch
Device Category: Network Device
Isolation Strategy
  • Isolate affected remote access server from the internet, restricting both ingress and egress.
  • Disable public-facing logon interface temporarily.
  • Restrict server management access to a secure VLAN.
  • Monitor server logs for exploit attempts.
Rationale, Scope, and Justification

Rationale: The remote access server, a network device, is the primary target. Isolating it (restricting ingress and egress) prevents exploitation, and disabling the logon interface stops attacks. A secure VLAN protects management, and log monitoring detects threats.

Scope: Isolation targets the remote access server, with minimal network impact.

Justification: This focused approach mitigates the zero-day risk, for which no patch exists, without broad network disruption.

Isolate Entire Network: Deny Both Ingress and Egress from the remote access server

Rationale for Network Isolation Choice

Rationale: The zero-day risks threat actor access (inbound exploitation) and exfiltration (outbound data). Denying ingress and egress from the server prevents both, ensuring network safety.

Scope: The rule applies to the remote access server, enforced via firewall or router policies.

Justification: Server-specific restrictions address both risks, avoiding unnecessary network-wide measures.

Scenario: Zero-Day Against Citrix/RDS/VMware View Logon Interface, Patch Available
Device Category: Managed PC
Isolation Strategy
  • Apply patch to remote access server immediately.
  • Isolate server from the internet, restricting both ingress and egress, until patched.
  • Monitor logs for exploit attempts during patching.
  • Verify patch effectiveness post-deployment.
Rationale, Scope, and Justification

Rationale: A patch mitigates the zero-day, but immediate application is critical. Isolating the server (restricting ingress and egress) prevents exploitation during patching. Monitoring logs detects attempts, and verification ensures security.

Scope: Isolation targets the remote access server, with minimal impact on managed PCs.

Justification: This temporary isolation is proportionate, balancing security with minimal disruption until the patch is applied.

Isolate Entire Network: Deny Both Ingress and Egress from the remote access server

Rationale for Network Isolation Choice

Rationale: Until patched, the zero-day risks threat actor access (inbound) and exfiltration (outbound). Denying ingress and egress from the server prevents both during the patching window.

Scope: The rule applies to the remote access server, enforced via firewall or router policies.

Justification: Server-specific restrictions are sufficient, minimizing disruption while the patch is applied.

Scenario: Zero-Day Against Citrix/RDS/VMware View Logon Interface, Patch Available
Device Category: Unmanaged PC
Isolation Strategy
  • Apply patch to remote access server immediately.
  • Isolate server from the internet, restricting both ingress and egress, until patched.
  • Notify users on unmanaged devices to avoid accessing the service until patched.
  • Monitor logs for exploit attempts during patching.
Rationale, Scope, and Justification

Rationale: The patch addresses the zero-day, but server isolation (restricting ingress and egress) is needed during application. User notifications reduce exposure, and log monitoring detects threats.

Scope: Isolation targets the remote access server, with no direct impact on unmanaged PCs.

Justification: This strategy focuses on the server, proportionate to the temporary risk until patched.

Isolate Entire Network: Deny Both Ingress and Egress from the remote access server

Rationale for Network Isolation Choice

Rationale: The zero-day risks threat actor access (inbound) and exfiltration (outbound) until patched. Denying ingress and egress from the server protects unmanaged PC users during patching.

Scope: The rule applies to the remote access server, enforced via firewall or router policies.

Justification: Server-specific restrictions are sufficient, avoiding broader disruption to unmanaged PCs.

Scenario: Zero-Day Against Citrix/RDS/VMware View Logon Interface, Patch Available
Device Category: Network Device
Isolation Strategy
  • Apply patch to remote access server immediately.
  • Isolate server from the internet, restricting both ingress and egress, until patched.
  • Restrict server management access to a secure VLAN.
  • Monitor logs for exploit attempts during patching.
Rationale, Scope, and Justification

Rationale: The remote access server requires patching to mitigate the zero-day. Isolation (restricting ingress and egress) prevents exploitation during patching, and a secure VLAN protects management. Log monitoring detects threats.

Scope: Isolation targets the remote access server, with minimal network impact.

Justification: This focused approach mitigates the temporary risk until the patch is applied.

Isolate Entire Network: Deny Both Ingress and Egress from the remote access server

Rationale for Network Isolation Choice

Rationale: Until patched, the zero-day risks threat actor access (inbound) and exfiltration (outbound). Denying ingress and egress from the server ensures safety during patching.

Scope: The rule applies to the remote access server, enforced via firewall or router policies.

Justification: Server-specific restrictions address both risks, avoiding unnecessary network-wide measures.

Scenario: Single User Compromised, Threat Actor Logged into Environment
Device Category: Managed PC
Isolation Strategy
  • Disable compromised user account.
  • Force re-authentication for all Citrix/RDS/VMware View sessions.
  • Isolate user’s device via EDR, restricting both ingress and egress.
  • Monitor remote access server logs for suspicious activity.
Rationale, Scope, and Justification

Rationale: A compromised user account with active login risks unauthorized access. Disabling the account and forcing re-authentication terminate the threat actor’s session. EDR isolation (restricting ingress and egress) prevents further activity, and log monitoring detects related threats.

Scope: Isolation targets the user’s account and device, with minimal impact on other users.

Justification: This targeted approach addresses the specific compromise without disrupting the entire service.

Isolate Entire Network: No

Rationale for Network Isolation Choice

Rationale: Disabling the account and isolating the device (restricting ingress and egress) prevent threat actor access (C2) and exfiltration. The threat is limited to one user’s session.

Scope: No network-wide rule is applied; isolation is account- and device-specific.

Justification: Targeted measures suffice, avoiding disruptive network-wide restrictions.

Scenario: Single User Compromised, Threat Actor Logged into Environment
Device Category: Unmanaged PC
Isolation Strategy
  • Disable compromised user account.
  • Block device IP/MAC from remote access service, restricting both ingress and egress.
  • Force re-authentication for all Citrix/RDS/VMware View sessions.
  • Notify user to secure their device.
Rationale, Scope, and Justification

Rationale: Unmanaged PCs require network-level blocking (IP/MAC) to restrict ingress (threat actor access) and egress (exfiltration). Disabling the account and forcing re-authentication terminate the session. User notification encourages cleanup.

Scope: Isolation targets the user’s account and device, with no broad service disruption.

Justification: This proportionate approach targets the specific threat without affecting other users.

Isolate Entire Network: No

Rationale for Network Isolation Choice

Rationale: Account disabling and device blocking (restricting ingress and egress) prevent threat actor access and exfiltration. The compromise is localized to one user’s device.

Scope: No network-wide rule is applied; isolation is account- and device-specific.

Justification: Targeted measures are sufficient, avoiding unnecessary network-wide restrictions.

Scenario: Single User Compromised, Threat Actor Logged into Environment
Device Category: Network Device
Isolation Strategy
  • Disable compromised user account.
  • Isolate remote access server management interface, restricting both ingress and egress.
  • Force re-authentication for all Citrix/RDS/VMware View sessions.
  • Audit server logs for unauthorized changes.
Rationale, Scope, and Justification

Rationale: A compromised user account risks server access. Disabling the account and forcing re-authentication limit damage. Isolating the management interface (restricting ingress and egress) prevents tampering, and log audits detect compromise.

Scope: Isolation targets the user’s account and server management, with minimal user impact.

Justification: This balanced strategy addresses the threat without shutting down the service.

Isolate Entire Network: No

Rationale for Network Isolation Choice

Rationale: Account disabling and server management isolation (restricting ingress and egress) prevent threat actor control and exfiltration. The threat is confined to one user’s access.

Scope: No network-wide rule is applied; isolation is account- and server-specific.

Justification: Targeted measures suffice, avoiding disruptive network-wide restrictions.

Scenario: Single User Compromised, Threat Actor Logged In and Escalated to Local Admin
Device Category: Managed PC
Isolation Strategy
  • Disable compromised user account.
  • Isolate user’s device via EDR, restricting both ingress and egress.
  • Force re-authentication for all Citrix/RDS/VMware View sessions.
  • Implement network segmentation to limit lateral movement.
  • Scan device for malware and privilege escalation artifacts.
Rationale, Scope, and Justification

Rationale: Local admin escalation increases the risk of lateral movement and exfiltration. Disabling the account and forcing re-authentication terminate the session. EDR isolation (restricting ingress and egress) prevents further activity, segmentation limits spread, and scanning detects threats.

Scope: Isolation targets the user’s account, device, and affected network segments.

Justification: This approach addresses the escalated threat without broad service disruption, proportionate to a single device.

Isolate Entire Network: Deny Egress from the affected PC

Rationale for Network Isolation Choice

Rationale: Local admin privileges heighten exfiltration risk (outbound data). Denying egress from the affected PC prevents data leaks, while device isolation restricts ingress (C2 access). Network-wide measures are excessive for a single device.

Scope: The rule applies to the affected managed PC, enforced via EDR or firewall rules targeting its IP/MAC.

Justification: Targeted egress restriction, combined with isolation, addresses both risks without disrupting other systems.

Scenario: Single User Compromised, Threat Actor Logged In and Escalated to Local Admin
Device Category: Unmanaged PC
Isolation Strategy
  • Disable compromised user account.
  • Block device IP/MAC from network access, restricting both ingress and egress.
  • Force re-authentication for all Citrix/RDS/VMware View sessions.
  • Implement network segmentation to limit lateral movement.
  • Notify user to secure their device.
Rationale, Scope, and Justification

Rationale: Local admin escalation on an unmanaged PC risks lateral movement and exfiltration. Disabling the account and forcing re-authentication stop the session. Network-level blocking (restricting ingress and egress) prevents activity, and segmentation limits spread.

Scope: Isolation targets the user’s account, device, and network segments.

Justification: This strategy addresses the escalated threat without broad disruption, suitable for a single device.

Isolate Entire Network: Deny Egress from the affected PC

Rationale for Network Isolation Choice

Rationale: Admin privileges increase exfiltration risk (outbound). Denying egress from the affected PC prevents data leaks, while device blocking restricts ingress (C2 access). Network-wide measures are disproportionate.

Scope: The rule applies to the affected unmanaged PC, enforced via IP/MAC filtering.

Justification: Targeted egress restriction, with isolation, addresses both risks without affecting other systems.

Scenario: Single User Compromised, Threat Actor Logged In and Escalated to Local Admin
Device Category: Network Device
Isolation Strategy
  • Disable compromised user account.
  • Isolate remote access server management interface, restricting both ingress and egress.
  • Force re-authentication for all Citrix/RDS/VMware View sessions.
  • Audit server logs for unauthorized changes or privilege escalation.
  • Implement network segmentation to limit lateral movement.
Rationale, Scope, and Justification

Rationale: Local admin escalation via the remote access server risks server compromise. Disabling the account and forcing re-authentication limit access. Isolating the management interface (restricting ingress and egress) prevents tampering, and segmentation limits spread.

Scope: Isolation targets the user’s account, server management, and network segments.

Justification: This approach addresses the escalated threat without shutting down the service, proportionate to a single user.

Isolate Entire Network: Deny Egress from the remote access server

Rationale for Network Isolation Choice

Rationale: Admin privileges on the server heighten exfiltration risk (outbound). Denying egress from the server prevents data leaks, while management isolation restricts ingress (C2 access). Network-wide measures are excessive.

Scope: The rule applies to the remote access server, enforced via server-specific firewall rules.

Justification: Server-specific egress restriction, with isolation, addresses both risks without broad disruption.